Retail and Consumer Products Law Roundup - December 2017

Manatt, Phelps & Phillips, LLP

In This Issue:
  • The Battle Over CFPB Leadership Continues
  • Cybersecurity Guidance on SEC Horizon
  • Pharmacies and Healthcare Facilities Await EPA’s Final Pharmaceuticals Rule
  • Lawmakers Seek to Keep Things Private
  • NLRB’s Noteworthy Developments
  • California Employers Face Multiple New Laws
  • Converse Runs Away With Dismissal Over De Minimis Bag Checks
  • Eight-Figure Settlements Continue for TCPA Disputes

The Battle Over CFPB Leadership Continues

By Richard E. Gottlieb, Partner, Financial Services Group | Charles E. Washburn, Jr., Partner, Financial Services Group

Although the first round in the battle over leadership of the Consumer Financial Protection Bureau went to President Donald Trump’s pick for the position, the fight continues, leaving the CFPB’s ongoing work very unsettled.

What happened

Just before outgoing Director Richard Cordray stepped down from his role at the CFPB, he appointed Chief of Staff Leandra English as deputy director in an apparent effort to circumvent any selection of an acting director by President Trump from taking over the leadership position. Ignoring Cordray’s maneuver, President Trump tapped Mick Mulvaney, already the director of the Office of Management and Budget (OMB), to take over as acting director at the CFPB.

English filed suit, but U.S. District Judge Timothy J. Kelly (a Trump nominee) sided with the president. Denying English’s request for a temporary restraining order, the court said the language of the Consumer Financial Protection Act, under which the deputy director serves as director in the event of the director’s “absence or unavailability,” did not apply to vacancy as a result of resignation.

Therefore, the Federal Vacancies Reform Act applied, putting the power to appoint a new director in the hands of the president, the court held. “On its face, the Vacancies Act does appear to apply to this situation,” Judge Kelly said. On Dec. 6, Ms. English filed an amended complaint and a motion for a preliminary injunction. Judge Kelly has issued an aggressive scheduling order through the rest of December, with a hearing on Ms. English’s motion currently scheduled for Dec. 22. Any decision by Judge Kelly would be appealable to the U.S. Court of Appeals, D.C. Circuit.

In the meantime, Mulvaney has moved aggressively in managing the CFPB, in part apparently to demonstrate what he perceives as a flaw in the CFPB’s structure, in that it places an inordinate amount of unchecked power in the hands of just one individual, saying in an interview that the authority wielded by the director of the CFPB “should frighten people.”

Why it matters

The battle at the CFPB continues to rage on, with a new complaint filed this month by a credit union alleging that the president’s appointment of Mulvaney was unconstitutional and amounts to “an illegal hostile takeover of the CFPB.” The Lower East Side People’s Federal Credit Union argues that with Mulvaney at the helm of the CFPB, its members are at risk. Until the litigation is finally resolved, the situation at the CFPB will continue to be unstable.

Cybersecurity Guidance on SEC Horizon

By Craig D. Miller, Partner, Financial Services Transactions

In a push for increased cybersecurity vigilance, the Securities and Exchange Commission indicated its plans to amend existing data security guidance, including the reporting of data breaches.

What happened

Speaking at a Practising Law Institute event in New York City, SEC Director of Corporation Finance William Hinman urged publicly traded companies to review their practices with regard to cybersecurity. More specifically, he suggested consideration of how a company internally disseminates information about potential breaches, the point at which senior managers get informed about suspected intrusions, and how companies report data breaches to their investors.

These issues are top of mind for the agency, Hinman said, and will likely be the subject of tweaks to the SEC’s data security guidance. “Current guidance is in pretty good shape,” he told attendees. But the agency will “touch [on] a couple of things that will be new” to the six-year-old guidance, such as how breach information gets disclosed internally and escalated to senior management. “I think this issue is important enough, wide-ranging enough that we should tackle it at the Commission level,” he added.

Also on the radar: ensuring that appropriate controls and practices are in place for preventing insider trading. “It would be wise for folks to re-examine their insider trading policies,” Hinman noted. Although he didn’t explicitly reference the incident, the topic was likely spurred by the recent Equifax data breach, where reports have claimed that three company executives sold nearly $2 million worth of shares in Equifax after they learned about the breach but before it was announced to the public.

While Hinman did not discuss a time frame for when the SEC might make the changes, his remarks echoed a similar sentiment shared by SEC Chair Jay Clayton when testifying before the Senate Banking Committee earlier this year. Clayton told legislators that companies need to disclose more cybersecurity information to their investors, and in the event of a breach, do it more quickly.

The SEC has increasingly focused on cybersecurity issues, including the creation in September of a new Cyber Unit to focus on misconduct involving hacking and threats to trading platforms, the spread of false information through electronic and social media, and misconduct involving distributed ledger technology.

Why it matters

The SEC’s current cybersecurity guidance was released in October 2011, a lifetime in the digital world and before the recent record-setting breaches such as that at Equifax. At the time, the agency did not mandate that public companies report every data breach to investors but instead discussed how a major attack could impact a company’s business, which would in turn necessitate the need for disclosure to investors. Based on the comments from current SEC leadership, it appears the agency could take a stronger line on disclosures as well as on enforcing insider trading restrictions in the context of an undisclosed data breach. Public companies should also closely evaluate any data breaches (or threats of data breaches) when drafting their periodic reports for the SEC.

Pharmacies and Healthcare Facilities Await EPA’s Final Pharmaceuticals Rule

By Ted Wolff, Partner, EnvironmentMatthew D. Williamson, Partner, Environmental Litigation

As of the time of publication, the Environmental Protection Agency (EPA) has just published its Fall Regulatory Agenda (December 14, 2017). The Regulatory Agenda establishes the agency’s rulemaking priority. In addition to foreshadowing President Trump and EPA Director Scott Pruitt’s scaling back of environmental regulations, notable here is that the agency proposes a July 2018 final rulemaking for the proposed regulation governing the management of hazardous waste pharmaceuticals. The comment period on the original proposed rule closed in late 2015. Over the course of the next several months, we will work with Agency contacts, state environmental regulators and stakeholders to track and assist in understanding EPA’s final rule incorporating responses to comments.

Stay tuned for Manatt’s updates and further analysis regarding the rule’s impact on retail pharmacies and other healthcare facilities. For more information, please contact Manatt partners Ted Wolff or Matt Williamson.

Lawmakers Seek to Keep Things Private

By Jeffrey S. Edelstein, Partner, Advertising, Marketing and Media

Federal lawmakers are considering the Consumer Privacy Protection Act of 2017, a new bill that would regulate the storage online of certain types of personal consumer information.

Introduced by Sen. Patrick Leahy (D-Vt.) and cosponsored by Sens. Ed Markey (D-Mass.), Richard Blumenthal (D-Conn.), Ron Wyden (D-Ore.), Al Franken (D-Minn.), Kamala Harris (D-Calif.) and Tammy Baldwin (D-Wisc.), the proposal would require companies that collect and hold data on at least 10,000 U.S. individuals to meet certain baseline privacy and data security standards to safely keep information obtained from consumers.

More specifically, the legislation mandates that companies encrypt information (or use similar protective technologies), conduct vulnerability testing and employee training, conduct due diligence before allowing third parties to acquire data, and destroy sensitive information that is no longer needed.

The measure protects categories of data, including Social Security numbers; financial account information (including credit card numbers and bank accounts); online usernames and passwords, such as email names and passwords; unique biometric data (fingerprints and “faceprints,” for example); information about a person’s physical and mental health; geolocation data; and private digital photographs and videos.

Data breach notification requirements are also included in the bill. Consumers must be notified of a breach “as expediently as possible and without unreasonable delay,” not to exceed seven days following the discovery of a security breach. An exception covers delays authorized for law enforcement or national security purposes.

In addition, companies must provide five years of appropriate identity theft prevention and mitigation services to consumers whose sensitive personally identifiable information has been—or is reasonably believed to have been—accessed or acquired.

Enforcement would be provided by state attorneys general, who would have the power to enjoin a practice that allegedly violates the Act, and to enforce compliance or impose a civil penalty “in an amount not greater than the product of the number of violations … and $16,500.”

Data breach notification violations are subject to a different scheme under the statute. Determinations of a violation and the amount of the penalty will be made “by the court sitting as the finder of fact.” If the court also finds that the violation was willful or intentional, the Act provides discretion to impose an additional penalty as long as it doesn’t exceed $10 million.

No private right of action was created by the bill, which would preempt state data security and breach notification laws weaker than those found in the bill.

To read the Consumer Privacy Protection Act of 2017, click here.

Why it matters: Spurred in part by the rash of massive data breaches in recent months (including Equifax’s disclosure that hackers obtained information on more than 140 million consumers in the United States), the proposed legislation already has the support of consumer groups such as Public Knowledge, the Consumer Federation of America, and the Center for Democracy and Technology. Given the current political impasse, passage of the bill appears to be an uphill battle.

NLRB’s Noteworthy Developments

Recent decisions from the National Labor Relations Board (NLRB) find the board overturning two of its previously-established standards. All of this happened last week, signaling a significant shift in the position of the NLRB. Among them, the NLRB overturned its standard for assessing the legality of employee handbooks, as established in the 2004 Lutheran Heritage Village-Livonia decision, with a 3-2 majority. The Lutheran Heritage standard held that an employee handbook policy is illegal if employees can “reasonably construe” that the policy prohibits them from exercising their rights under the National Labor Relations Act. In overturning the Lutheran Heritage decision, the board lays out three categories into which they will classify challenged rules: rules that are legal in all cases because they cannot be reasonably interpreted to interfere with workers’ rights or because any interference is outweighed by business interests, rules that are legal in some cases depending on their application, and rules that are always illegal because they interfere with workers’ rights in a way not outweighed by business interests.

The NLRB also reversed the decision it reached in the 2015 Browning-Ferris Industries (BFI) case, in which it had expanded the test for determining joint employment. The board voted 3-2 to overturn the standard set in BFI, which established that a company can be classed as a joint employer even if the employer exerts “indirect control” over employees. During the vote, the board reverted to its pre-BFI standard of “direct and immediate control,” stating that the BFI test jeopardized the stability of relationships between employers and employees. The board’s dissenters countered that the board majority failed to solicit the public’s perspective, and challenged the majority’s policy basis for reversing the BFI standard as “entirely speculative.”

Please stay tuned for more detailed analysis and further coverage in our upcoming newsletters.

California Employers Face Multiple New Laws

Why it matters

With several new employment-related measures recently signed into law, California employers should start preparing themselves now. Beginning on Jan. 1, 2018, employers with five or more employees in the state are prohibited from inquiring into applicants’ conviction histories prior to making an offer of employment. A.B. 1008 also sets forth a number of requirements about how employers may use conviction history to deny employment. Another law, the New Parent Leave Act, extends unpaid leave to bond with a new child within one year of the child’s birth, adoption or foster care placement to employers with at least 20 workers. Prior to S.B. 63, the leave was triggered only when employers had 50 or more employees. California also joined Oregon, Massachusetts, New York and a number of cities that ban employers from asking applicants for “salary history information,” a term that includes both compensation and benefits. Finally, S.B. 396 expanded the scope of the sexual harassment training that employers with at least 50 employees must provide to supervisors, with an additional mandate that as of Jan. 1, 2018, the training must cover harassment based on gender identity, gender expression and sexual orientation. Employers should take the time to familiarize themselves with all the new laws and coming changes.

Detailed discussion

Employers in California are facing a busy future with several new employment laws set to take effect in the coming months. The following provides an overview of some of the biggest changes.

  • After limiting employers’ ability to ask job applicants about any juvenile court matters last year, the California legislature enacted a broader “Ban the Box” law in 2017 that will take effect on Jan. 1, 2018. A.B. 1008 amended the Fair Employment Housing Act with a new provision that restricts an employer’s ability to make hiring decisions based on an applicant’s conviction records, forbidding consideration of conviction history until a conditional offer of employment has been extended. Applicable to employers with five or more workers, the law contains minimal exemptions (such as positions with criminal justice agencies) and prohibits inquiring about, considering or including on an application questions about conviction history. If an employer decides not to hire an applicant because of a prior conviction, the employer is required to conduct an individualized assessment to determine whether the history has a “direct and adverse relationship with the specific duties of the job that justif[ies] denying the applicant the position,” taking into account the nature and gravity of the criminal offense, the time that has passed, and the nature of the job. Once a preliminary determination has been made that the conviction history disqualifies the applicant from employment, written notice must be provided, giving the applicant five business days to respond and dispute the decision. A second notice must be provided with the final decision not to hire. Applicants can sue for alleged violations of the provision, requesting compensatory damages, attorneys’ fees and costs.
  • The California Family Rights Act required employers with 50 or more workers to provide unpaid leave of up to 12 weeks to bond with a new child within one year of the child’s birth, adoption or foster care placement. Now the New Parent Leave Act has broadened this requirement to employers with 20–49 employees in a 75-mile radius. Pursuant to S.B. 63, workers will be eligible to take leave once they have worked for the employer for at least 12 months and at least 1,250 hours. While an employee is on leave, the employer must continue to pay its share of the employee’s healthcare premiums, although it may recover this money under certain circumstances (if the employee fails to return to work after his or her leave expires, for example). If both parents work for the same company, leave can be limited to a combined total of 12 weeks and the employer can require the leave be taken concurrently. The new law takes effect in January 2018.
  • Joining a growing number of jurisdictions—including Delaware, Massachusetts, New York, Oregon and several cities—California employers are now prohibited from asking job applicants for “salary history information,” defined to include both compensation and benefits. A.B. 168 does permit employers to rely upon information that is shared by the applicant “voluntarily and without prompting,” although the state’s Fair Pay Act bans employers from relying solely on prior salary to justify any disparity in compensation. The new law, which takes effect on Jan. 1, 2018, applies to both public and private employers and also requires employers to provide applicants with the pay scale for a position upon “reasonable request.”
  • Mandatory sexual harassment training for supervisors got a tweak pursuant to S.B. 396. Beginning on Jan. 1, 2018, employers with 50 or more employees must now address harassment based on gender identity, gender expression and sexual orientation as part of the already required two hours of supervisory training that must be conducted every two years or within six months of an individual’s assumption of supervisory duties. The measure also contains an updated poster requirement.

To read A.B. 1008, click here.

To read S.B. 63, click here.

To read A.B. 168, click here.

To read S.B. 396, click here.

Converse Runs Away With Dismissal Over De Minimis Bag Checks

As the plaintiffs failed to establish that the employer’s bag checks took long enough to merit compensation, a California federal court dismissed the action. Eric Chavez alleged that he and other workers at Converse retail stores in the state were due wages for the unpaid time they spent waiting for and undergoing bag inspections when they exited the store premises. Converse countered with a study showing that the average combined time per employee was less than two minutes. Although the plaintiffs presented testimony from workers that some bag checks took more than one minute, the court ruled the unpaid time was de minimis. Chavez has already filed notice of appeal, arguing that the court should have waited to decide the case given that the California Supreme Court is currently considering whether de minimis time is compensable, answering a certified question from the U.S. Court of Appeals, Ninth Circuit in a case involving Starbucks.

Detailed discussion

A nonexempt hourly employee at a Converse retail store in Gilroy, CA, Eric Chavez was required to undergo an exit inspection each time he left the store during or after a shift. Each departure during his employment from September 2010 to October 2015 consisted of a visual inspection as well as a bag check, if he was carrying a bag. Converse did not pay Chavez for the time these exit inspections took or for the occasions when he had to wait for a manager to come to conduct the inspection.

Alleging violations of California’s Labor Code, Chavez filed a putative class action in 2015. The court certified a class of employees dating back to 2011, and Converse then filed a motion for summary judgment.

The employer offered a time and motion study that considered 436 exit inspections, breaking down each part of the process into waiting time, bag checks and visual inspections. The study found that 290 of the exits (66.5 percent) observed no wait time, while 120 out of 146 inspections (82.2 percent) had a wait time of 30 seconds or less.

As for the inspections themselves, the majority—67.7 percent—did not include a bag check. Where only a visual inspection occurred, the average duration was 2.3 seconds, with bag checks lasting less than 3 seconds and 100 percent of the bag checks observed taking less than 30 seconds.

Combining wait time, visual inspections and bag checks, the study found that 99.5 percent of the employees spent less than two minutes before exiting the premises. Relying on these findings, the employer argued that the unpaid time was de minimis and the suit should be dismissed.

Chavez challenged the study, providing an expert to critique it, although he did not offer his own study in response. He also proffered the deposition testimony of several coworkers, which he said demonstrated that employees spent a longer period of time for the inspections than shown by the study.

Considering the employer’s motion for summary judgment, U.S. District Judge Nathanael M. Cousins first acknowledged that whether the de minimis doctrine—which originated in the context of the federal Fair Labor Standards Act—applies to state law remains an unsettled question of law currently being decided by the California Supreme Court.

However, while the issue remains pending, the court said it remained bound by existing precedent applying the doctrine to claims under the Labor Code and moved forward with its analysis.

After a detailed review of the employer’s study, the critique offered by Chavez’s expert and the deposition testimony of 23 class members, the court concluded the time spent on exit inspections was de minimis and therefore not compensable.

Although Chavez argued the depositions refuted the employer’s study, the greatest time any deponent testified that an individual bag check took was 60 seconds, and several class members never underwent bag checks because they never brought a bag onto the premises, the court said. The study’s findings “strongly suggest the exit inspections took barely a few seconds and are thus not compensable.”

Further, “[o]nly Eric Chavez testified to always having to wait more than one minute for exit inspections,” the court wrote, Chavez having testified that he “always” had to wait at least four minutes. “The rest of the class members testified to either never waiting for an exit inspection, or waiting for an inspection less than 50 percent of the time.”

Converse’s timekeeping system records time in one-minute intervals. The study found that 95.9 percent of exit inspections took one minute or less and 99.5 percent of exit inspections had a wait time of two minutes or less. “These findings are significant because Converse’s timekeeping system cannot measure time in less than 1 minute increments … [and] the overwhelming majority—95.9 percent—of exit inspections would not have been measurable because they lasted less than one minute,” the court wrote.

Even taking into account the testimony of Chavez that he once waited 18 minutes for an exit inspection as well as that of two other workers—one who testified to waiting one to two minutes and the other who testified to waiting two minutes or more—the court was not convinced the time was enough to warrant compensation.

“[Three] out of 24 class member[s] arguably testified that their exit inspection took greater than one minute with regularity,” Judge Cousins wrote. “This testimony is insufficient to rebut the [study’s] finding that the overwhelming majority of exit inspections took less than one minute, especially where 21 other class members did not experience compensable exit inspections with any regularity,” Judge Cousins said.

The court granted Converse’s motion for summary judgment.

To read the order in Chavez v. Converse, Inc., click here.

Eight-Figure Settlements Continue for TCPA Disputes

By Christine M. Reilly, Chair, TCPA Compliance and Class Action Defense | Diana L. Eisner, Associate, Litigation

Multimillion-dollar settlements continue to be a popular solution to Telephone Consumer Protection Act (TCPA) class actions, as demonstrated by a recent retailer agreement.

U.S. District Judge Valerie Caproni recently granted final approval to a $14.5 million deal involving American Eagle Outfitters to end multiple lawsuits accusing the national retailer of sending thousands of “spam texts” to more than 600,000 consumers.

After four putative class actions were consolidated in New York federal court, the parties engaged in more than two years of litigation, including discovery and motion practice, before reaching a settlement via mediation. American Eagle agreed to pay a total of $14.5 million into a nonreversionary settlement fund for class member claims, administration expenses, class representative awards, and attorneys’ fees and costs.

The court granted preliminary approval in January and signed off on final approval of the deal in September. Class members will receive approximately $232 each, administration expenses topped $665,580, class counsel will receive more than $104,785 in costs and $4.35 million in fees, and a total of $10,000 in incentive fees will be paid to the four representatives.

More than 38,000 valid claim forms were submitted, the court said, with just nine members requesting to be excluded and six objections to the deal. Third-party defendant Experian Marketing Services objected to the agreement on the basis that the plaintiffs—by simply alleging a violation of the TCPA and nothing more—failed to demonstrate they had Article III standing.

Applying Robins v. Spokeo, the court reached the opposite conclusion, finding that the statutory violation alone was sufficient to establish a concrete injury.

“Plaintiffs’ receipt of unwanted and unauthorized telephone contact by an automated system is precisely the harm that Congress was trying to avoid when it enacted the TCPA,” the court said. “As such, Plaintiffs’ concrete injury is the invasion of the right created by the statute; their receipt of the telephone contact ‘presents a material risk of harm to the underlying concrete interest Congress sought to protect in passing’ the TCPA.”

Reviewing the other objections (two of which were withdrawn and one of which was untimely), the court found them “meritless.” The class notice was reasonable and adequate, the court said, and concerns about the settlement amount ignore “the very real litigation risks that Plaintiff faced,” particularly as the deal provides nearly 50 percent of the available statutory damages for a nonwillful violation of the TCPA.

Finding that all of the requirements of Rules 23(a) and (b) of the Federal Rules of Civil Procedure had been met and that the settlement amount fell “well within the range of reasonableness,” Judge Caproni granted final approval of the agreement.

To read the opinion and order in Melito v. American Eagle Outfitters, Inc., click here.

Why it matters

The $14.5 million deal is only the most recent multimillion-dollar TCPA settlement, and as class actions continue to be filed under the statute, it likely won’t be the last.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Manatt, Phelps & Phillips, LLP | Attorney Advertising

Written by:

Manatt, Phelps & Phillips, LLP

Manatt, Phelps & Phillips, LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.